EDMONTON – Alberta’s privacy commissioner, Jill Clayton (pictured), has written to Health Minister Fred Horne formally requesting he strengthen provincial privacy legislation to include mandatory disclosure of all health information breaches.
Clayton called on Horne to consider amending the province’s Health Information Act, which requires “custodians” to protect the personal health information of Albertans.
Her formal request for changes comes little more than a month after revelations surfaced of a Medicentres data breach that saw the private health information of 620,000 Albertans go missing. The names, health card numbers, birthdates and diagnostic codes of people who visited the clinics between May 2011 and September 2013 was lost when an unencrypted laptop belonging to a consultant was either lost or stolen.
The missing laptop was reported to both the Edmonton police and the privacy commissioner’s office when the loss was discovered last fall, but Horne wasn’t told until months later. While Horne at the time angrily questioned why he wasn’t told about the breach, the incident exposed significant gaps in the province’s Health Information Act, which doesn’t make disclosure of such breaches compulsory.
That’s what Clayton wants changed. Only the Personal Information Protection Act requires an organization to report a breach and gives the commissioner the power to require an organization notify anyone who is affected.
“Including privacy breach notification and reporting requirements in all three of Alberta’s access and privacy laws is an important component of protecting Albertans’ privacy rights and will help put Alberta at the forefront of privacy protection,” Clayton wrote in her letter.
Of the nine provinces and territories that have health privacy legislation, six make it mandatory to disclosure when personal health information is lost, stolen or accessed inappropriately, Clayton pointed out in her letter.
Horne said he was in the process of considering amendments to the Health Information Act, but said he wanted to wait until Clayton’s investigation into the Medicentres breach was completed.
“Obviously, if we’re going to introduce some amendments, we want them to be the right ones, and we want them to address the issues that people have expressed concern about,” he said.
Clayton’s office has said the investigation is being treated as a priority, but couldn’t say how long it would take to complete. Investigations can vary in length from months to years.